Novell ZENWORKS ENDPOINT SECURITY MANAGEMENT Administration Guide

AUTHORIZED DOCUMENTATION
Administration Guide
Novell®
ZENworks® Endpoint Security Management
novdocx (en) 17 September 2009
March 31, 2009
www.novell.com

ZENworks Endpoint Security Management Administration Guide

Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2007-2009 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent applications in the U.S. and in other countries.
Novell, Inc. 404 Wyman Street, Suite 500 Waltham, MA 02451 U.S.A. www.novell.com
Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.novell.com/documentation).
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
Contents
About This Guide 9
1 ZENworks Endpoint Security Management 11
1.1 ZENworks Endpoint Security Management Overview 12
1.2 System Requirements 13
1.2.1 ASP.NET 14
1.2.2 Reliable Time Stamp 14
1.3 About the ZENworks Endpoint Security Management Manuals 14
1.4 USB/Wireless Security 14
2 Policy Distribution Service 17
2.1 About the Policy Distribution Service 17
2.1.1 Server Selection and Installation 18
2.1.2 Server Maintenance 18
2.1.3 Upgrading the Software 18
2.1.4 Uninstall 18
2.2 Securing Server Access 18
2.2.1 Physical Access Control 18
2.2.2 Network Access Control 19
2.2.3 High Availability 19
2.3 Running the Service 19
3 Configuring the Directory Service 21
3.1 Configuring the Directory Service for Novell eDirectory 21
3.2 Configuring the Directory Service for Microsoft Active Directory 28
4 Using the ZENworks Endpoint Security Management Service 37
4.1 About the Management Service 37
4.1.1 Server Selection and Installation 37
4.1.2 Server Maintenance 38
4.1.3 Upgrading the Software 38
4.1.4 Uninstall 38
4.2 Securing Server Access 38
4.2.1 Physical Access Control 38
4.2.2 Network Access Control 39
4.2.3 High Availability 39
4.2.4 Running the Service 39
4.3 Distributing and Renewing ZENworks Endpoint Security Management Credentials 39
4.3.1 Distributing Endpoint Security Management Credentials (Key Management Key) 39
4.3.2 Periodic Renewal of the Key Management Key (KMK) 40
5 Using the ZENworks Storage Encryption Solution Management Console 41
5.1 Using the Console Taskbar 41
5.1.1 Policy Tasks 42
5.1.2 Resources 43
5.1.3 Configuration 43
5.1.4 Endpoint Auditing 43
5.2 Using the Console Menu Bar 43
5.3 Using the Configuration Window 44
5.3.1 Infrastructure and Scheduling 44
5.3.2 Authenticating Directories 46
5.3.3 Service Synchronization 47
5.4 Using Alerts Monitoring 47
5.4.1 Configuring Endpoint Security Management for Alerts 48
5.4.2 Configuring Alert Triggers 49
5.4.3 Managing Alerts 50
5.5 Using Reports 51
5.5.1 Using the Reports Tools 51
5.5.2 Adherence Reports 53
5.5.3 Alert Drill-Down Reports 55
5.5.4 Application Control Reports 56
5.5.5 Endpoint Activity Reports 56
5.5.6 Encryption Solutions Reports 57
5.5.7 Client Self Defense Reports 57
5.5.8 Integrity Enforcement Reports 57
5.5.9 Location Reports 58
5.5.10 Outbound Content Compliance Reports 58
5.5.11 Administrative Overrides Reports 59
5.5.12 Endpoint Updates Reports 59
5.5.13 USB Devices Reports 60
5.5.14 Wireless Enforcement Reports 60
5.6 Generating Custom Reports 60
5.6.1 Software Requirements 61
5.6.2 Creating a ZENworks Endpoint Security Management Compliant Report 61
5.6.3 Available Reporting Information 62
5.6.4 Creating a Report 65
5.7 Using the ZENworks Storage Encryption Solution 71
5.7.1 Understanding the ZENworks Storage Encryption Solution 71
5.7.2 Sharing Encrypted Files 71
5.8 Managing Keys 72
5.8.1 Exporting Encryption Keys 73
5.8.2 Importing Encryption Keys 74
5.8.3 Generating a New Key 74
6 Creating and Distributing Security Policies 75
6.1 Navigating the Management Console UI 75
6.1.1 Using the Policy Tabs and Tree 76
6.1.2 Using the Policy Toolbar 78
6.2 Creating Security Policies 79
6.2.1 Global Policy Settings 80
6.2.2 Locations 98
6.2.3 Integrity and Remediation Rules 109
6.2.4 Compliance Reporting 118
6.2.5 Publishing Security Policies 121
6.3 Managing Policies 122
6.3.1 Show Usage 122
6.3.2 Error Notification 122
6.3.3 Custom User Messages 123
6.3.4 Hyperlinks 124
6.3.5 Defined Location Settings 125
6.3.6 Network Environments 126
6.3.7 Firewall Settings 128
6.3.8 TCP/UDP Ports 130
6.3.9 Access Control Lists 134
6.3.10 Application Controls 136
6.3.11 Rule Scripting Parameters 138
6.4 Importing and Exporting Policies 169
6.4.1 Importing Policies 169
6.4.2 Exporting a Policy 169
6.4.3 Exporting Policies to Unmanaged Users 169
6.5 Sample Scripts 170
6.5.1 Create Registry Shortcut (VB Script) 170
6.5.2 Allow Only One Connection Type (JScript) 172
6.5.3 Stamp Once Script 173
7 Managing the Endpoint Security Client 3.5 175
7.1 Understanding the Endpoint Security Client 175
7.2 Installing and Uninstalling the ZENworks Security Agent 176
7.2.1 Installing the Endpoint Security Client 3.5 176
7.2.2 Uninstalling the Endpoint Security Client 3.5 176
7.3 Understanding Client Self Defense 177
7.4 Upgrading the Endpoint Security Client 3.5 178
7.4.1 Setting the Upgrade Switch 178
7.5 Running the Endpoint Security Client 3.5 178
7.5.1 Multiple User Support 179
7.5.2 Machine-Based Policies (Active Directory Only) 179
7.5.3 Distributing Unmanaged Policies 179
7.6 Using the Endpoint Security Client Diagnostics Tools 180
7.6.1 Creating a Diagnostics Package 180
7.6.2 Administrator Views 182
7.6.3 Logging 186
7.6.4 Reporting 187
8 Managing the Endpoint Security Client 4.0 191
8.1 Understanding the Endpoint Security Client 191
8.2 Installing and Uninstalling the ZENworks Security Agent 192
8.2.1 Installing the Endpoint Security Client 4.0 192
8.2.2 Uninstalling the Endpoint Security Client 4.0 192
8.3 Running the Endpoint Security Client 4.0 193
8.3.1 Multiple User Support 194
8.3.2 Machine-Based Policies (Active Directory Only) 194
8.3.3 Distributing Unmanaged Policies 195
8.4 Using the Endpoint Security Client Diagnostics Tools 195
8.4.1 Creating a Diagnostics Package 195
8.4.2 Administrator Views 197
8.4.3 Module List 200
8.4.4 Logging 201
9 Using ZENworks Endpoint Security Management Utilities 203
9.1 Using the ZENworks File Decryption Utility 203
9.1.1 Using the File Decryption Utility 203
9.1.2 Using the Administrator Configured Decryption Utility 204
9.2 Using the Override-Password Key Generator 204
A Acronym Glossary 207

About This Guide

This Novell® ZENworks® Endpoint Security Management Administration Guide is written for ZENworks Endpoint Security Management Administrators who are required to manage the Endpoint Security Management services, create security policies for the enterprise, generate and analyze reporting data, and provide troubleshooting for end users. Instructions for completing these tasks are provided in this manual.
The information in this guide is organized as follows:
Chapter 1, “ZENworks Endpoint Security Management,” on page 11
Chapter 2, “Policy Distribution Service,” on page 17
Chapter 3, “Configuring the Directory Service,” on page 21
Chapter 4, “Using the ZENworks Endpoint Security Management Service,” on page 37
Chapter 5, “Using the ZENworks Storage Encryption Solution Management Console,” on page 41
Chapter 6, “Creating and Distributing Security Policies,” on page 75
Chapter 7, “Managing the Endpoint Security Client 3.5,” on page 175
Chapter 8, “Managing the Endpoint Security Client 4.0,” on page 191
Chapter 9, “Using ZENworks Endpoint Security Management Utilities,” on page 203
Appendix A, “Acronym Glossary,” on page 207
Audience
This guide is written for the ZENworks Endpoint Security Management administrators.
Feedback
We want to hear your comments and suggestions about this manual and the other documentation included with this product. Please use the User Comments feature at the bottom of each page of the online documentation, or go to the Novell Documentation Feedback site (http://www.novell.com/documentation/feedback.html) and enter your comments there.
Additional Documentation
ZENworks Endpoint Security Management is supported by other documentation (in both PDF and HTML formats) that you can use to learn about and implement the product. For additional documentation, see the ZENworks Endpoint Security Management 3.5 documentation Web site (http://www.novell.com/documentation/zesm35).
Documentation Conventions
In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
A trademark symbol (®, TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark.
When a single pathname can be written with a backslash for some platforms or a forward slash for other platforms, the pathname is presented with a backslash. Users of platforms that require a forward slash, such as Linux*, should use forward slashes as required by their software.
1 ZENworks Endpoint Security Management
Novell® ZENworks® Endpoint Security Management provides complete, centralized security management for all endpoints in the enterprise. Because ZENworks Endpoint Security Management applies security at the most vulnerable point, the endpoint, all security settings are applied and enforced regardless of whether the user is connecting to the network directly, dialing in remotely, or even not connecting to corporate infrastructure at all. This is critical to not only protect the data within the corporate perimeter, but also to protect the critical data that resides on the endpoint device itself.
ZENworks Endpoint Security Management automatically adjusts security settings and user permissions based on the current network environment characteristics. A sophisticated engine is used to determine the user's location and automatically adjusts firewall settings and permissions for applications, adapters, hardware, etc.
Security is enforced through the creation and distribution of ZENworks Endpoint Security Management security policies. Each location (Work, Home, Alternate, Airport, etc.) listed in a security policy is assigned to a network environment (or multiple network environments). A location determines which hardware is available and the degree of firewall settings that are activated within the network environment. The firewall settings determine which networking ports, access control lists (ACLs), and applications are accessible/required. Various integrity checks and scripts can be run at location change to ensure that all required security software is up to date and running.
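As an added illustration (not ZENworks code), the following Python sketch shows the location model just described: a location is assigned one or more network environments, the first location whose environment matches the observed network wins, and a network that no definition recognises falls back to a default location carrying the most restrictive firewall setting. The environment attributes (gateway, dns, ssid), the firewall setting names and the sample policy are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class NetworkEnvironment:
    """Observable facts that identify a network. None means the attribute is not checked."""
    gateway: Optional[str] = None   # default gateway address
    dns: Optional[str] = None       # primary DNS server address
    ssid: Optional[str] = None      # wireless network name, None on a wired link

    def matches(self, observed: "NetworkEnvironment") -> bool:
        pairs = ((self.gateway, observed.gateway),
                 (self.dns, observed.dns),
                 (self.ssid, observed.ssid))
        # A definition that checks nothing would match every network; treat it as matching
        # none, otherwise a misconfigured location would be trusted everywhere.
        if all(want is None for want, _ in pairs):
            return False
        return all(want is None or want == got for want, got in pairs)


@dataclass
class Location:
    name: str
    firewall: str                                   # constructed names: "open", "adaptive", "closed"
    environments: List[NetworkEnvironment] = field(default_factory=list)


# Constructed policy. Order matters: the first location with a matching environment wins.
# Matching a trusted location on SSID alone is weak (anyone running an access point
# chooses its SSID), so the "Work" definition requires gateway and DNS together.
POLICY = [
    Location("Work", "open", [NetworkEnvironment(gateway="10.0.0.1", dns="10.0.0.53")]),
    Location("Home", "adaptive", [NetworkEnvironment(ssid="HomeNet"),
                                  NetworkEnvironment(gateway="192.168.1.1", dns="192.168.1.1")]),
]
# Fallback for any network no definition recognises; it carries the most restrictive setting.
UNKNOWN = Location("Unknown", "closed")


def resolve_location(observed: NetworkEnvironment,
                     policy: List[Location] = POLICY,
                     unknown: Location = UNKNOWN) -> Location:
    """Pick the location whose environment matches what the client observes."""
    for loc in policy:
        if any(env.matches(observed) for env in loc.environments):
            return loc
    return unknown


if __name__ == "__main__":
    for seen in (NetworkEnvironment(gateway="10.0.0.1", dns="10.0.0.53"),
                 NetworkEnvironment(gateway="172.16.0.1", dns="172.16.0.2", ssid="AirportFree")):
        loc = resolve_location(seen)
        print(f"{seen} -> {loc.name}: firewall {loc.firewall}")
```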
Figure 1-1 Effectiveness of NDIS-Layer Firewall
In securing mobile devices, ZENworks Endpoint Security Management is superior to typical personal firewall technologies, which operate only in the application layer or as a firewall-hook driver. ZENworks Endpoint Security Management client security is integrated into the Network Driver Interface Specification (NDIS) driver for each network interface card (NIC), providing security protection from the moment traffic enters the computer. Differences between ZENworks Endpoint Security Management and application-layer firewalls and filter drivers are illustrated in Figure 1-1, “Effectiveness of NDIS-Layer Firewall,” on page 11.
Security decisions and system performance are optimized when security implementations operate at the lowest appropriate layer of the protocol stack. With the ZENworks Security Management Endpoint Security Client, unsolicited traffic is dropped at the lowest levels of the NDIS driver stack by means of Adaptive Port Blocking (stateful packet inspection) technology. This approach protects against protocol-based attacks, including unauthorized port scans, SYN Flood, NetBIOS, and DDOS attacks.
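An added illustration, not the Endpoint Security Client's code, of what dropping "unsolicited traffic" by stateful inspection means in practice: outbound traffic creates connection state, an inbound packet is admitted only when it answers that state, and a remote host that probes many closed ports without invitation is reported as a suspected port scan. The packet fields, the sample packets and the scan threshold are constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet as seen at the NIC. Fields are constructed for this example."""
    direction: str      # "out" = host to network, "in" = network to host
    proto: str          # "tcp" or "udp"
    local_port: int     # port on this host
    remote_ip: str
    remote_port: int
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection attempt


class StatefulFilter:
    """Admit only traffic that answers something this host initiated."""

    def __init__(self, scan_threshold=5):
        # Flows this host opened: (proto, local_port, remote_ip, remote_port).
        self.state = set()
        # Distinct local ports each remote host has probed without invitation.
        self.probed = defaultdict(set)
        self.scan_threshold = scan_threshold

    @staticmethod
    def _key(p):
        return (p.proto, p.local_port, p.remote_ip, p.remote_port)

    def handle(self, p):
        """Return "allow" or "drop" for one packet, updating state as a side effect."""
        if p.direction == "out":
            # The host asked for this conversation, so remember it for the reply.
            self.state.add(self._key(p))
            return "allow"
        if self._key(p) in self.state and not p.syn:
            return "allow"          # a reply to a flow we opened; a SYN is never a reply
        # Nothing on this host asked for it: drop silently and record the probe.
        self.probed[p.remote_ip].add(p.local_port)
        return "drop"

    def suspected_scanners(self):
        """Remote hosts that probed at least scan_threshold distinct local ports."""
        return sorted(ip for ip, ports in self.probed.items()
                      if len(ports) >= self.scan_threshold)


def run(packets, scan_threshold=5):
    """Filter a packet list; return (decisions, suspected scanners) for inspection."""
    f = StatefulFilter(scan_threshold)
    decisions = [f.handle(p) for p in packets]
    return decisions, f.suspected_scanners()


if __name__ == "__main__":
    # Constructed traffic: one legitimate HTTPS exchange, then three probes from one host.
    sample = [
        Packet("out", "tcp", 51000, "203.0.113.10", 443, syn=True),
        Packet("in", "tcp", 51000, "203.0.113.10", 443),
        Packet("in", "tcp", 445, "198.51.100.7", 40000, syn=True),
        Packet("in", "tcp", 139, "198.51.100.7", 40001, syn=True),
        Packet("in", "tcp", 135, "198.51.100.7", 40002, syn=True),
    ]
    print(run(sample, scan_threshold=3))
```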

1.1 ZENworks Endpoint Security Management Overview

ZENworks Endpoint Security Management consists of four high-level functional components:
Policy Distribution Service
Management Service
Management Console
Endpoint Security Client
The figure below shows these components in the architecture:
Figure 1-2 ZENworks Endpoint Security Management Architecture
[Figure 1-2 shows the Central Management components inside the Enterprise Perimeter: the Management Service, the Management Console, the SQL Database, and the Directory Service (Active Directory, LDAP, or NT Domain) that supplies group information. The Policy Distribution Service runs on an Enterprise Web Server in the DMZ (Demilitarized Zone). An SSL link carries encrypted policy and reporting information between the services and the ZENworks Security Clients, which are shown location-secured at the Office, at Home, in a Coffee Shop, and On The Road.]
The Endpoint Security Client is responsible for enforcement of the distributed security policies on the endpoint system. When the Endpoint Security Client is installed on all enterprise computers, these computers (endpoints) can now travel outside the corporate perimeter and maintain their security, while endpoints inside the perimeter receive additional security checks within the perimeter firewall.
Each Central Management component is installed separately. The following components are installed on servers that are secured inside the corporate perimeter:
Policy Distribution Service: Responsible for the distribution of security policies to the Endpoint Security Client, and for retrieval of reporting data from the Endpoint Security Clients. The Policy Distribution Service can be deployed in the DMZ or outside the enterprise firewall, to ensure regular policy updates for mobile endpoints.
Management Service: Responsible for user policy assignment and component authentication; reporting data retrieval, creation and dissemination of ZENworks Endpoint Security Management reports; and security policy creation and storage.
Management Console: The visible user interface, which can run directly on the server hosting the Management Service or on a workstation residing inside the corporate firewall with a connection to the Management Service server. The Management Console is used to configure the Management Service and to create and manage user and group security policies. Policies can be created, copied, edited, disseminated, or deleted using the Management Console.

1.2 System Requirements

Server System Requirements
Operating Systems: Microsoft* Windows* 2003 Server
Processor: 3.0 GHz Pentium* 4 HT (or greater); 756 MB RAM minimum (1 GB+ recommended)
Disk Space: 500 MB without a local Microsoft SQL database; 5 GB with a local MS SQL database (SCSI recommended)
Required Software:
Supported RDBMS (SQL Server Standard, SQL Server Enterprise, Microsoft SQL Server 2000 SP4, or SQL 2005)
Microsoft Internet Information Services (configured for SSL)
Supported Directory Services (eDirectory, Active Directory, or NT Domains*)
.NET framework 3.5 (servers and Management Control only)

Client System Requirements
Operating Systems for Endpoint Security Client 3.5: Windows XP SP1, Windows XP SP2, Windows 2000 SP4
Operating Systems for Endpoint Security Client 4.0: Windows Vista SP1 (32-bit)
Processor: 600 MHz Pentium 3 (or greater); 128 MB RAM minimum (256 MB or greater recommended)
Disk Space: 5 MB required; 5 additional MB recommended for reporting data
Required Software: Windows 3.1 Installer; all Windows updates should be current
Standalone Management Control: Supported RDBMS (SQL Server Standard, SQL Server Enterprise, Microsoft SQL Server 2000 SP4, SQL 2005, SQL Express)

1.2.1 ASP.NET

The Policy Distribution and Management services require the local ASP.NET account to be enabled. If that account is disabled, the services do not work correctly.

1.2.2 Reliable Time Stamp

The Novell ZENworks Endpoint Security Management solution gathers data from multiple sources and collates this data to create a wide variety of security and audit reports. The utility and probative value of these reports is greatly diminished if disparate sources disagree as to times, and so it is strongly recommended that anyone installing ZENworks Endpoint Security Management provide for enterprise-wide time synchronization (such as that provided by Active Directory* or through the use of Network Time Protocol).
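An added example, not a ZENworks tool, of the check an administrator could run over endpoint check-in records before trusting collated reports: each record is assumed to carry the endpoint's own clock reading alongside the server's receipt time, and an endpoint whose clock is consistently off by more than a tolerance, or whose clock jumps between check-ins, is flagged. The record layout, the sample records and the tolerance are constructed for this example.

```python
from datetime import datetime, timezone
from statistics import median

# Assumed tolerance: beyond this, event ordering across sources can no longer be trusted.
TOLERANCE_SECONDS = 300

# Constructed check-in records: endpoint name, time stamped by the endpoint's own clock,
# time stamped by the server when the check-in arrived.
CHECKINS = [
    ("LAPTOP-01", "2009-03-31T10:00:05+00:00", "2009-03-31T10:00:07+00:00"),
    ("LAPTOP-01", "2009-03-31T11:00:04+00:00", "2009-03-31T11:00:06+00:00"),
    ("LAPTOP-02", "2009-03-31T09:45:00+00:00", "2009-03-31T10:00:10+00:00"),  # about 15 min slow
    ("LAPTOP-02", "2009-03-31T10:45:01+00:00", "2009-03-31T11:00:12+00:00"),
    ("LAPTOP-03", "2009-03-31T10:00:00+00:00", "2009-03-31T10:00:02+00:00"),
    ("LAPTOP-03", "2009-03-31T12:30:00+00:00", "2009-03-31T11:00:03+00:00"),  # clock jumped
]


def parse(ts):
    """Parse an ISO 8601 stamp; a stamp without a zone is treated as UTC rather than guessed."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def clock_offsets(records):
    """Per endpoint, the list of (endpoint clock - server clock) differences in seconds."""
    offsets = {}
    for endpoint, local_ts, server_ts in records:
        delta = (parse(local_ts) - parse(server_ts)).total_seconds()
        offsets.setdefault(endpoint, []).append(delta)
    return offsets


def assess(records, tolerance=TOLERANCE_SECONDS):
    """Classify each endpoint: 'ok', 'skewed' (steady but too far off) or 'unstable'."""
    result = {}
    for endpoint, deltas in clock_offsets(records).items():
        spread = max(deltas) - min(deltas)
        if spread > tolerance:
            # The clock changed between check-ins, so no single correction can repair
            # the ordering of this endpoint's events against other sources.
            result[endpoint] = "unstable"
        elif abs(median(deltas)) > tolerance:
            result[endpoint] = "skewed"
        else:
            result[endpoint] = "ok"
    return result


if __name__ == "__main__":
    for endpoint, verdict in sorted(assess(CHECKINS).items()):
        print(f"{endpoint}: {verdict}")
```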
ZENworks Endpoint Security Management Administrators should follow all installation, operation, and maintenance recommendations provided in this document and the ZENworks Endpoint Security Management Installation Guide in order to ensure a strong security environment.

1.3 About the ZENworks Endpoint Security Management Manuals

The ZENworks Endpoint Security Management manuals provide three levels of guidance for the users of the product.
ZENworks Endpoint Security Management Administration Guide: This guide is written for the ZENworks Endpoint Security Management Administrators who manage the ZENworks Endpoint Security Management services, create security policies for the enterprise, generate and analyze reporting data, and provide troubleshooting for users. Instructions for completing these tasks are provided in this manual. This is the guide you are currently reading.
ZENworks Endpoint Security Management Installation Guide: This guide provides complete installation instructions for the ZENworks Endpoint Security Management components and assists the administrator in getting those components up and running.
ZENworks Endpoint Security Client 3.5 User Guide: This manual is written to instruct the end user on the operation of the Endpoint Security Client running on Windows XP and Windows 2000. This guide can be sent to all employees in the enterprise to help them understand how to use the Endpoint Security Client.
ZENworks Endpoint Security Client 4.0 User Guide: This manual is written to instruct the end user on the operation of the Endpoint Security Client running on Windows Vista. This guide can be sent to all employees in the enterprise to help them understand how to use the Endpoint Security Client.

1.4 USB/Wireless Security

ZENworks USB/Wireless Security (UWS) is a simplified version of the product that provides comprehensive USB control, connectivity security, and file encryption features. ZENworks USB/Wireless Security does not include some of the additional security features that are available in ZENworks Endpoint Security Management. If you have purchased USB/Wireless Security rather than ZENworks Endpoint Security Management, all functionality described in this manual will be essentially the same, with only certain policy features unavailable in the Management Console.
The unavailable features have been marked with the following notation on their respective pages:
NOTE: This feature is only available in the ZENworks Endpoint Security Management installation, and cannot be used for USB/Wireless Security security policies.
Features without this notation are available for both ZENworks Endpoint Security Management and UWS security policies.
To verify which version you are running, open the “About” screen from the Help menu in Management Console (see Section 5.2, “Using the Console Menu Bar,” on page 43).
2 Policy Distribution Service

The Policy Distribution Service in Novell® ZENworks® Endpoint Security Management is a web service application that, when requested, distributes security policies and other necessary data to Endpoint Security Clients on endpoint computers in your enterprise. Endpoint Security Management security policies are created and edited with the Management Service's Management Console, then published to the Policy Distribution Service, from where they are downloaded by the client at check-in.
The following graphic illustrates the role of the Policy Distribution Service:
The following sections contain additional information:
Section 2.1, “About the Policy Distribution Service,” on page 17
Section 2.2, “Securing Server Access,” on page 18
Section 2.3, “Running the Service,” on page 19

2.1 About the Policy Distribution Service

The Policy Distribution Service authenticates Endpoint Security Clients based on the user ID credentials obtained from the Management Service, and supplies each client with the designated security policy.
Reporting data is collected by Endpoint Security Clients and passed up to the Policy Distribution Service. This data is periodically collected by the Management Service and then deleted from the Policy Distribution Service.
The Policy Distribution Service does not initiate any communications with the other Endpoint Security Management components, and only responds to others. It does not hold sensitive data in the clear, nor does it hold the keys needed to decrypt the sensitive data. It does not hold user credentials or any other user-specific data.
Section 2.1.1, “Server Selection and Installation,” on page 18
Section 2.1.2, “Server Maintenance,” on page 18
Section 2.1.3, “Upgrading the Software,” on page 18
Section 2.1.4, “Uninstall,” on page 18

2.1.1 Server Selection and Installation

See the ZENworks Endpoint Security Management Installation Guide for selection and installation instructions.

2.1.2 Server Maintenance

It is recommended that regular disk cleanup tasks be configured to run on this server to remove temporary files from the Windows\temp folder. Under extreme load conditions, Windows can generate an inordinate amount of temporary files that needlessly consume disk space.

2.1.3 Upgrading the Software

To upgrade your software from one release to another, you must uninstall the old release and install the new release. Complete instructions are provided in “Upgrading” in the ZENworks Endpoint Security Management Installation Guide.

2.1.4 Uninstall

To uninstall the Policy Distribution Service, use the Add/Remove Programs function in the Windows Control Panel, or run the installation again from the ZENworks Endpoint Security Management installation CD.

2.2 Securing Server Access

The following sections contain information to help you secure access to your ZENworks Endpoint Security Management server:
Section 2.2.1, “Physical Access Control,” on page 18
Section 2.2.2, “Network Access Control,” on page 19
Section 2.2.3, “High Availability,” on page 19

2.2.1 Physical Access Control

Physical access to the Distribution Service Server should be controlled to prevent access by unauthorized parties. Measures taken should be appropriate to the risks involved. Multiple standards and guidelines are available, including NIST recommendations, HIPAA requirements, ISO/IEC 17799, and less formal collections of recommendations such as CISSP or SANS guidelines. Even when a given regulatory framework is not applicable, it may still act as a valuable resource and planning guide.
Likewise, Disaster Recovery and Business Continuity mechanisms to protect the Distribution Server should be put in place to protect the server if an organizational risk assessment identifies a need for such steps. The mechanisms best used will depend on the specifics of the organization and its desired risk profile, and cannot be described in advance. The same standards and guidelines sources listed above can be helpful in this decision as well.

2.2.2 Network Access Control

The Distribution Server can be further protected from unauthorized access by restricting network access to it. This may take the form of some or all of the following:
Restricting incoming connection attempts to those ports and protocols from which a valid access attempt might be expected
Restricting outgoing connection attempts to those IP addresses to which a valid access attempt might be expected
Restricting outgoing connection attempts to those ports and protocols to which a valid access attempt might be expected
Such measures can be imposed through the use of standard firewall technology.
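One way to apply the three restrictions above to a Policy Distribution Server, as an added example that is not part of the Novell guide: a Windows Firewall policy written with the NetSecurity cmdlets (Windows Server 2012 or later; the guide names no specific firewall tool). It assumes the web service is reached over HTTPS on port 443, and the Management Service address, endpoint subnets, time source and DNS servers are constructed values to replace with your own.

```powershell
# Added example, not from the Novell guide. All addresses below are constructed.
$ManagementServiceIP = '10.0.0.20'        # host running the Management Service
$EndpointSubnets     = @('10.0.0.0/8')    # ranges the Endpoint Security Clients check in from
$TimeSource          = '10.0.0.5'         # NTP server (enterprise-wide time sync, Section 1.2.2)
$DnsServers          = @('10.0.0.2', '10.0.0.3')

# Default-deny in both directions and log dropped packets, so unexpected
# connection attempts toward or from this server show up in the firewall log.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block -LogBlocked True

# Incoming: only the ports/protocols from which a valid access attempt is expected.
# Endpoints download policies and upload reporting data; the Management Console
# publishes policies and the Management Service collects the reporting data.
New-NetFirewallRule -DisplayName 'ZESM PDS: HTTPS from endpoints' -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort 443 -RemoteAddress $EndpointSubnets
New-NetFirewallRule -DisplayName 'ZESM PDS: HTTPS from Management Service' -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort 443 -RemoteAddress $ManagementServiceIP

# Outgoing: the Distribution Service never initiates contact with the other
# components (Section 2.1), so no outbound rule toward them is needed; the firewall
# is stateful, so replies on the allowed inbound connections are still permitted.
# The host itself still needs time synchronization and name resolution. A
# domain-joined server also needs rules toward its domain controllers (by address).
New-NetFirewallRule -DisplayName 'ZESM PDS: NTP to time source' -Direction Outbound `
    -Action Allow -Protocol UDP -RemotePort 123 -RemoteAddress $TimeSource
New-NetFirewallRule -DisplayName 'ZESM PDS: DNS (UDP)' -Direction Outbound `
    -Action Allow -Protocol UDP -RemotePort 53 -RemoteAddress $DnsServers
New-NetFirewallRule -DisplayName 'ZESM PDS: DNS (TCP)' -Direction Outbound `
    -Action Allow -Protocol TCP -RemotePort 53 -RemoteAddress $DnsServers

# Review the resulting rule set before ending the console session.
Get-NetFirewallRule -DisplayName 'ZESM PDS*' |
    Select-Object DisplayName, Direction, Action, Enabled
```

Apply the rules from a console session rather than over the network, since the outbound default-deny takes effect immediately.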

2.2.3 High Availability

High Availability mechanisms for the Distribution Server should be put in place if an organizational risk assessment identifies a need for such steps. There are multiple alternative mechanisms for building high availability solutions, ranging from the general (DNS round-robining, layer 3 switches, etc.) to the vendor specific (the Microsoft* web site has multiple resources on high availability web services and clustering issues). Those implementing and maintaining a ZENworks Endpoint Security Management solution should determine which class of high availability solution is most appropriate for their context. Note that the Distribution Server has been architected to function in non-high-availability situations, and does not require High Availability to provide its services.

2.3 Running the Service

The Policy Distribution Service launches immediately following installation, with no reboot of the server required. The Management Console can adjust upload times for the Distribution Service using the Configuration feature (see Section 5.3.1, “Infrastructure and Scheduling,” on page 44).
3 Configuring the Directory Service

After you install ZENworks® Endpoint Security Management, you must create and configure a directory service before you can start managing devices in your system.
The New Directory Service Configuration Wizard lets you create a directory service configuration that defines the scope of your ZENworks Endpoint Security Management client installations. The new configuration uses your existing directory service to define the logical boundary for your user-based and computer-based client installations.
The wizard guides you through the process of selecting the directory service and the containers where current and future client accounts reside.
The wizard also lets you synchronize the directory entries included in the new configuration. This synchronization is performed in the background so you can immediately begin using your new configuration.
The following sections contain more information:
Section 3.1, “Configuring the Directory Service for Novell eDirectory,” on page 21
Section 3.2, “Configuring the Directory Service for Microsoft Active Directory,” on page 28

3.1 Configuring the Directory Service for Novell eDirectory

After installing ZENworks Endpoint Security Management, the New Directory Service Configuration Wizard automatically displays. If you have just installed the product and the Welcome page is displayed, skip to Step 4 in the following procedure.
To configure the directory service:
1 In the Management Console, click Tools > Configuration.
2 Click Authenticating Directories.
3 Click New to launch the New Directory Service Configuration Wizard.
4 Click Next to display the Select Directory Service page.
5 Select Novell eDirectory as the directory service.
6 Specify a friendly name to describe the directory service configuration, then click Next to display the Connect to Server page.
7 Fill in the fields:
Host Name: Specify the DNS name or IP address of the directory server. If the DNS name or IP address cannot be authenticated, a bind error message displays.
Port: Specify the port used to connect to the directory server.
Port 389 is the default. If you use a different port to connect to the directory server, you can specify that port.
Enable Encryption for this Session using TLS/SSL: Select to enable encryption. If you select this option, the port is automatically changed to 636.
8 Click Next to display the Provide Credentials page.
9 Fill in the fields:
User name: Specify the account administrator to bind to the directory.
This account serves as the administrator of the directory service configuration. The login name must be a user who has permission to view the entire directory tree. It is recommended that this user be the OU administrator.
Password: Specify the password for the account administrator.
This account serves as the administrator of this directory service configuration.
The password should not be set to expire, and this account should never be disabled.
Context: Specify the context in which the account administrator is a member.
10 Click Next to display the Select Directory Partitions page.
11 Browse to and select the directory partitions for this configuration, then click Next to display the Select Client Contexts page.
12 Browse to and select the context(s) for the accounts used in this configuration.
The Select Client Context(s) page lets you narrow the search to only those contexts that contain managed users and computers, which improves performance.
Any client installation that attempts to check in with the management server but does not reside in a selected context results in longer search times.
13 Click Next to display the Select Context(s) for Synchronization page.
14 (Optional) Select the contexts to synchronize as part of the configuration process.
The synchronization is performed in the background so you can immediately begin using your new configuration. If you have many users and computers to synchronize, this might take a few hours.
If you do not specify contexts to synchronize, the users and computers in those contexts are populated in the Management Console when they check in.
Synchronizing contexts pre-populates the Management Console with those users and computers so that you can immediately perform actions such as creating security policies. When the users or computers check in to the system, those policies are pushed down and applied. By pre-populating the Management Console, you can immediately begin creating policies that are specific to individual users or computers, rather than creating a policy that applies to all users and computers in the context. If you do not synchronize the context, you must wait until those users and computers check in to the system before creating unique policies for different users or computers.
15 Click Next to display the Save Configuration page.
16 Review the information, then click Next.
You can click Back to change any settings, if necessary.
17 Click Finish.
When you click Finish, the icon displays in your Windows notification area and the synchronization begins. You can double-click the icon to display the Directory Services Synchronization dialog box.
The synchronization occurs in the background. If you exit the Management Console, the synchronization stops. When you open the Management Console again, the synchronization resumes where it left off.

3.2 Configuring the Directory Service for Microsoft Active Directory

After installing ZENworks Endpoint Security Management, the New Directory Service Configuration Wizard automatically displays. If you have just installed the product and the Welcome page is displayed, skip to Step 4 in the following procedure.
To configure the directory service:
1 In the Management Console, click Tools > Configuration.
2 Click Authenticating Directories.
3 Click New to launch the New Directory Service Configuration Wizard.
4 Click Next to display the Select Directory Service page.
5 Select Microsoft Active Directory as the directory service.
6 Specify a friendly name to describe the directory service configuration, then click Next to display the Connect to Server page.
7 Fill in the fields:
Host Name: Specify the DNS name or IP address of the directory server. If the DNS name or IP address cannot be authenticated, a bind error message displays.
Port: Specify the port used to connect to the directory server.
Port 389 is the default. If you use a different port to connect to the directory server, you can specify that port.
Enable Encryption for this Session using Kerberos/NTLM: Select to enable encryption.
8 Click Next to display the Provide Credentials page.
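As an added example that is not from the Novell guide, the following PowerShell pre-flight check exercises the values entered on the Connect to Server and Provide Credentials pages of both wizard variants (Section 3.1 for eDirectory, Section 3.2 for Active Directory): it binds the way the wizard does and confirms the bind account can read each selected client context. It uses the .NET System.DirectoryServices.Protocols API; the function name, host name, bind account and contexts are constructed assumptions.

```powershell
# Added example, not part of the Novell guide; the function name and every sample
# value below are constructed. The wizard's own checks happen in the Management Console.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-ZesmDirectoryConfig {
    param(
        [Parameter(Mandatory)] [string] $HostName,         # DNS name or IP of the directory server
        [ValidateSet('eDirectory','ActiveDirectory')] [string] $Type = 'eDirectory',
        [bool] $UseEncryption = $true,                      # the wizard's "Enable Encryption" option
        [Parameter(Mandatory)] [pscredential] $Credential,  # eDirectory: user name is the full bind DN
        [string[]] $ClientContexts = @()                    # contexts chosen on Select Client Contexts
    )
    # eDirectory + TLS/SSL: the wizard switches the default port 389 to 636 (LDAPS).
    # Active Directory: encryption is Kerberos/NTLM signing and sealing on port 389.
    $useLdaps = ($Type -eq 'eDirectory' -and $UseEncryption)
    $port = if ($useLdaps) { 636 } else { 389 }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($HostName, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    if ($Type -eq 'eDirectory') {
        # LDAPS needs this host to trust the server certificate; do not bypass that
        # check, it is what protects the bind password on the wire.
        $conn.SessionOptions.SecureSocketLayer = $useLdaps
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    } else {
        $conn.SessionOptions.Signing = $UseEncryption
        $conn.SessionOptions.Sealing = $UseEncryption
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    }
    $conn.Credential = $Credential.GetNetworkCredential()
    try {
        $conn.Bind()
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # Same condition the wizard reports as a bind error (bad host, port, cert or credential).
        return [pscustomobject]@{ Bound = $false; Error = $_.Exception.Message; Contexts = @() }
    }
    # A base-scope read of each context shows the account can see that part of the
    # tree; the guide requires a bind account able to view the entire tree.
    $checks = foreach ($ctx in $ClientContexts) {
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $ctx, '(objectClass=*)',
            [System.DirectoryServices.Protocols.SearchScope]::Base, [string[]]'objectClass')
        try   { $null = $conn.SendRequest($req); [pscustomobject]@{ Context = $ctx; Readable = $true } }
        catch { [pscustomobject]@{ Context = $ctx; Readable = $false } }
    }
    $conn.Dispose()
    [pscustomobject]@{ Bound = $true; Error = $null; Contexts = $checks }
}

# Usage with constructed values (eDirectory, TLS/SSL on 636):
# $cred = Get-Credential -UserName 'cn=zesmadmin,ou=IT,o=Example' -Message 'Bind password'
# Test-ZesmDirectoryConfig -HostName 'edir.example.internal' -Credential $cred `
#     -ClientContexts 'ou=Users,o=Example','ou=Workstations,o=Example'
```

A context reported as not readable is one the bind account cannot see, which the wizard's later Select Client Contexts and synchronization steps will also fail on; fix the account's rights before proceeding.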